Spam, a lot

The first one, which actually isn’t much of a surprise, is related to the NUWAR family of worms. As we all know, NUWAR has undergone several social engineering makeovers — from doomsday messages of war to CNN top stories and more recently, e-Card greetings. The latest spam is just a variant of the latter, as seen in the following screenshot:

However, based on the analysis by our Senior Threat Analyst PB Cruz, the new twist here is that unlike its predecessor, which instantly downloads the worm after a user clicks on the link on the message, the link on the new messages points to a Web page. The said page displays an error message saying that the user needs to install Microsoft Data Access to properly view the e-Card (see image).

If the tactic looks somewhat familiar, that’s because another malware family has been using it. ZLOB Trojans, after all, have this penchant for disguising itself as codecs that the user “needs” to install to view videos, right? Anyhow, even if the above link is not clicked, the page hosts a malicious JavaScript that takes advantage of (ironically) Microsoft Data Access Components (MDAC) vulnerability (as discussed in Microsoft Security Bulletin MS06-014) to download Trojan downloaders. These downloaders, in turn, download the NUWAR variant onto an affected system.

Trend Micro detects the malicious JavaScript as JS_DLOADER.PCT. The downloaders and the NUWAR variant, on the other hand, are detected as TROJ_DLOADER.KTY, TROJ_TIBS.AMA, and WORM_NUWAR.MV. Slight variations of both the spam message and the malware components have been spotted as well, although Trend Micro users are protected from them, as long as they keep their pattern files updated. 🙂

The second notable spam (or rather, spamming technique) comes in the form of special characters. Literally:

Notice the strikethroughts and all that extra symbols and characters. The messages all talk about — again not surprisingly — stocks, although given this heavily obfuscated tactic that’s almost suspicious, do spammers really expect to be taken seriously?

According to Lalaine Gregorio of the Content Security team, whoever created these messages are clearly just trying to avoid filtering techniques used by security applications. “Spamming is really cheap, so it doesn’t really matter if they send out nonsense mail,” Gregorio states. “Eventually someone will take the message seriously, which will then make them [the spammers] gain profit.”

Nonsense or not, spam still spells bad news.

Additional data provided by Lala Manly

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: